<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="keywords" content="Hexo Theme Redefine">
    
    <meta name="author" content="xiaoeryu">
    <!-- preconnect -->
    <link rel="preconnect" href="https://fonts.googleapis.com">
    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>

    
    <!--- Seo Part-->
    
    <link rel="canonical" href="https://xiaoeeyu.github.io/2022/11/14/andromeda木马分析/"/>
    <meta name="robots" content="index,follow">
    <meta name="googlebot" content="index,follow">
    <meta name="revisit-after" content="1 days">
    
    
    
        
        <meta name="description" content="样本简介   MD5 文件类型    44ff2421bbd7918c6ad68da4fa276e02 exe">
<meta property="og:type" content="article">
<meta property="og:title" content="Andromeda木马分析">
<meta property="og:url" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/index.html">
<meta property="og:site_name" content="xiaoeryu">
<meta property="og:description" content="样本简介   MD5 文件类型    44ff2421bbd7918c6ad68da4fa276e02 exe">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210621173535459.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210613163748901.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210712225228859.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210613170050764.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210613172155974.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210613174023213.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210614211545714.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210614203558637.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210614204018971.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210614204358356.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210614205438515.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210614205635004.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210614212511913.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210614213229679.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210615215928628.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210615220210230.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210615220933949.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210615221701331.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210615223426537.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210615224548100.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210615225320320.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210621174956056.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210617003253716.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210617144509637.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210617165346529.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210617172343847.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210617172751662.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210617182706462.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210617184302238.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210617213637015.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210625144911095.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618003204591.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618100027438.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618151108108.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618151951237.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618160131848.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618161911590.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618180041834.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618222132923.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618222101458.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618222023450.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618230409713.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619004513010.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619005700963.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619173810398.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619174325026.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619201624743.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619210354720.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619220231614.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619224453665.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619230600359.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619231722619.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619234819467.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210620112130335.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210620110024956.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210620154742685.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210620003955673.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210620004503674.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210620162327198.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210620163009867.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210625144750506.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706210151786.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706210941966.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210630233459555.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706215336940.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706215626718.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706220343714.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210705214914849.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210705215604773.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210705221012684.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210707120259771.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210701211959385.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210707102207882.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706155750770.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706155621097.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210707103351430.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706155829786.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706155702049.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706161529651.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210704000806080.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706160912985.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210705154023635.png">
<meta property="article:published_time" content="2022-11-14T14:01:58.000Z">
<meta property="article:modified_time" content="2022-11-14T14:14:52.562Z">
<meta property="article:author" content="xiaoeryu">
<meta property="article:tag" content="Andromeda木马">
<meta property="article:tag" content="windows木马">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://xiaoeeyu.github.io/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210621173535459.png">
    
    
    <!--- Icon Part-->
    <link rel="icon" type="image/png" href="/images/rabete.jpg" sizes="192x192">
    <link rel="apple-touch-icon" sizes="180x180" href="/images/rabete.jpg">
    <meta name="theme-color" content="#A31F34">
    <link rel="shortcut icon" href="/images/rabete.jpg">
    <!--- Page Info-->
    
    <title>
        
            Andromeda木马分析 | xiaoeryu
        
    </title>

    
<link rel="stylesheet" href="/fonts/Chillax/chillax.css">


    <!--- Inject Part-->
    

    
<link rel="stylesheet" href="/css/style.css">


    
        
<link rel="stylesheet" href="/css/build/tailwind.css">

    

    
<link rel="stylesheet" href="/fonts/GeistMono/geist-mono.css">

    
<link rel="stylesheet" href="/fonts/Geist/geist.css">

    <!--- Font Part-->
    
    
    
    
    
    

    <script id="hexo-configurations">
    // Runtime configuration emitted by Hexo for the Redefine theme and read by the theme's scripts.
    // NOTE(review): this is an inline script with no nonce or hash attribute, so a strict
    // script-src CSP would block it unless it is explicitly allow-listed.
    // Site-level values: hostname, root path, UI language and the path of the search index ("search.xml").
    window.config = {"hostname":"xiaoeeyu.github.io","root":"/","language":"zh-CN","path":"search.xml"};
    // Theme settings (articles, colours, fonts, banner, navbar, plugins, home layout).
    // global.website_counter.url points at a third-party script origin (busuanzi) with enable:true;
    // whether and how the theme loads that script is not visible in this part of the page.
    // NOTE(review): the home_banner.subtitle.text string literal is split across two physical
    // lines below ("Don't wait, to " / "create") — confirm this is a rendering artifact and not
    // an unterminated string in the shipped page.
    window.theme = {"articles":{"style":{"font_size":"16px","line_height":1.5,"image_border_radius":"14px","image_alignment":"center","image_caption":false,"link_icon":true,"delete_mask":false,"title_alignment":"left","headings_top_spacing":{"h1":"3.2rem","h2":"2.4rem","h3":"1.9rem","h4":"1.6rem","h5":"1.4rem","h6":"1.3rem"}},"word_count":{"enable":true,"count":true,"min2read":true},"author_label":{"enable":true,"auto":false,"list":[]},"code_block":{"copy":true,"style":"mac","highlight_theme":{"light":"github","dark":"vs2015"},"font":{"enable":false,"family":null,"url":null}},"toc":{"enable":true,"max_depth":4,"number":false,"expand":true,"init_open":true},"copyright":{"enable":true,"default":"cc_by_nc_sa"},"lazyload":true,"pangu_js":false,"recommendation":{"enable":false,"title":"推荐阅读","limit":3,"mobile_limit":2,"placeholder":"/images/ball-0101.jpg","skip_dirs":[]}},"colors":{"primary":"#A31F34","secondary":null,"default_mode":"light"},"global":{"fonts":{"chinese":{"enable":false,"family":null,"url":null},"english":{"enable":false,"family":null,"url":null},"title":{"enable":false,"family":null,"url":null}},"content_max_width":"1000px","sidebar_width":"210px","hover":{"shadow":true,"scale":false},"scroll_progress":{"bar":false,"percentage":true},"website_counter":{"url":"https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js","enable":true,"site_pv":true,"site_uv":true,"post_pv":true},"single_page":true,"preloader":{"enable":false,"custom_message":null},"open_graph":true,"google_analytics":{"enable":false,"id":null}},"home_banner":{"enable":true,"style":"fixed","image":{"light":"/images/wallhaven-jxl31y.png","dark":"/images/wallhaven-o5762l.png"},"title":"XIAOERYU","subtitle":{"text":["明心见性，拨云见日","Don't wait, to 
create"],"hitokoto":{"enable":false,"show_author":false,"api":"https://v1.hitokoto.cn"},"typing_speed":100,"backing_speed":80,"starting_delay":500,"backing_delay":1500,"loop":true,"smart_backspace":true},"text_color":{"light":"#fff","dark":"#d1d1b6"},"text_style":{"title_size":"2.8rem","subtitle_size":"1.5rem","line_height":1.2},"custom_font":{"enable":false,"family":null,"url":null},"social_links":{"enable":true,"style":"default","links":{"github":"https://github.com/xiaoeeyu","instagram":null,"zhihu":null,"twitter":null,"email":"xiaoeryu@163.com"},"qrs":{"weixin":null}}},"plugins":{"feed":{"enable":false},"aplayer":{"enable":false,"type":"fixed","audios":[{"name":null,"artist":null,"url":null,"cover":null,"lrc":null}]},"mermaid":{"enable":false,"version":"9.3.0"}},"version":"2.8.2","navbar":{"auto_hide":false,"color":{"left":"#f78736","right":"#367df7","transparency":35},"width":{"home":"1200px","pages":"1000px"},"links":{"Home":{"path":"/","icon":"fa-regular fa-house"},"Archives":{"path":"/archives","icon":"fa-regular fa-archive"}},"search":{"enable":true,"preload":true}},"page_templates":{"friends_column":2,"tags_style":"blur"},"home":{"sidebar":{"enable":true,"position":"left","first_item":"menu","announcement":null,"show_on_mobile":true,"links":null},"article_date_format":"auto","excerpt_length":200,"categories":{"enable":true,"limit":3},"tags":{"enable":true,"limit":3}},"footerStart":"2022/8/17 11:45:14"};
    // Relative-time format strings for the zh-CN locale; %s is presumably replaced with the count.
    window.lang_ago = {"second":"%s 秒前","minute":"%s 分钟前","hour":"%s 小时前","day":"%s 天前","week":"%s 周前","month":"%s 个月前","year":"%s 年前"};
    // Page-level data; masonry layout is disabled on this page.
    window.data = {"masonry":false};
  </script>
    
    <!--- Fontawesome Part-->
    
<link rel="stylesheet" href="/fontawesome/fontawesome.min.css">

    
<link rel="stylesheet" href="/fontawesome/brands.min.css">

    
<link rel="stylesheet" href="/fontawesome/solid.min.css">

    
<link rel="stylesheet" href="/fontawesome/regular.min.css">

    
    
    
    
<meta name="generator" content="Hexo 6.3.0">
<style>/* Inline emoji styling: the span's text is made transparent and the emoji <img> is absolutely positioned and centred over it; the -fallback variant keeps the inherited text colour and hides the image instead. */.github-emoji { position: relative; display: inline-block; width: 1.2em; min-height: 1.2em; overflow: hidden; vertical-align: top; color: transparent; }  .github-emoji > span { position: relative; z-index: 10; }  .github-emoji img, .github-emoji .fancybox { margin: 0 !important; padding: 0 !important; border: none !important; outline: none !important; text-decoration: none !important; user-select: none !important; cursor: auto !important; }  .github-emoji img { height: 1.2em !important; width: 1.2em !important; position: absolute !important; left: 50% !important; top: 50% !important; transform: translate(-50%, -50%) !important; user-select: none !important; cursor: auto !important; } .github-emoji-fallback { color: inherit; } .github-emoji-fallback img { opacity: 0 !important; }</style>
</head>



<body>

<main class="page-container" id="swup">

	

	<div class="main-content-container flex flex-col justify-between min-h-dvh">
		<div class="main-content-header">


		</div>

		<div class="main-content-body transition-fade-up">
			

			<div class="main-content">
				<div class="post-page-container flex relative justify-between box-border w-full h-full">
	<div class="article-content-container">

		<div class="article-title relative w-full">
			
			<div class="w-full flex items-center pt-6 justify-start">
				<h1 class="article-title-regular text-second-text-color tracking-tight text-4xl md:text-6xl font-semibold px-2 sm:px-6 md:px-8 py-3">Andromeda木马分析</h1>
			</div>
			
		</div>

		
		<div class="article-header flex flex-row gap-2 items-center px-2 sm:px-6 md:px-8">
			<div class="avatar w-[46px] h-[46px] flex-shrink-0 rounded-medium border border-border-color p-[1px]">
				<img src="/images/rabete.jpg">
			</div>
			<div class="info flex flex-col justify-between">
				<div class="author flex items-center">
					<span class="name text-default-text-color text-lg font-semibold">xiaoeryu</span>
					
					<span class="author-label ml-1.5 text-xs px-2 py-0.5 rounded-small text-third-text-color border border-shadow-color-1">Lv5</span>
					
				</div>
				<div class="meta-info">
					<div class="article-meta-info">
    <span class="article-date article-meta-item">
        <i class="fa-regular fa-pen-fancy"></i>&nbsp;
        <span class="desktop">2022-11-14 22:01:58</span>
        <span class="mobile">2022-11-14 22:01:58</span>
        <span class="hover-info">创建</span>
    </span>
    
        <span class="article-date article-meta-item">
            <i class="fa-regular fa-wrench"></i>&nbsp;
            <span class="desktop">2022-11-14 22:14:52</span>
            <span class="mobile">2022-11-14 22:14:52</span>
            <span class="hover-info">更新</span>
        </span>
    

    
        <span class="article-categories article-meta-item">
            <i class="fa-regular fa-folders"></i>&nbsp;
            <ul>
                
                
                    
                        
                        <li>
                            <a href="/categories/%E6%A0%B7%E6%9C%AC%E5%88%86%E6%9E%90/">样本分析</a>&nbsp;
                        </li>
                    
                    
                
            </ul>
        </span>
    
    
        <span class="article-tags article-meta-item">
            <i class="fa-regular fa-tags"></i>&nbsp;
            <ul>
                
                    <li>
                        <a href="/tags/Andromeda%E6%9C%A8%E9%A9%AC/">Andromeda木马</a>&nbsp;
                    </li>
                
                    <li>
                        | <a href="/tags/windows%E6%9C%A8%E9%A9%AC/">windows木马</a>&nbsp;
                    </li>
                
            </ul>
        </span>
    

    
    
    
    
        <span class="article-pv article-meta-item">
            <i class="fa-regular fa-eye"></i>&nbsp;<span id="busuanzi_value_page_pv"></span>
        </span>
    
</div>

				</div>
			</div>
		</div>
		

		


		<div class="article-content markdown-body px-2 sm:px-6 md:px-8 pb-8">
			<h1 id="样本简介"><a href="#样本简介" class="headerlink" title="样本简介"></a>样本简介</h1><table>
<thead>
<tr>
<th align="left">MD5</th>
<th>文件类型</th>
</tr>
</thead>
<tbody><tr>
<td align="left">44ff2421bbd7918c6ad68da4fa276e02</td>
<td>exe</td>
</tr>
</tbody></table>
<span id="more"></span>

<h1 id="攻击流程"><a href="#攻击流程" class="headerlink" title="攻击流程"></a>攻击流程</h1><img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210621173535459.png" class="" title="image-20210621173535459">

<h1 id="详细分析"><a href="#详细分析" class="headerlink" title="详细分析"></a>详细分析</h1><h2 id="行为分析"><a href="#行为分析" class="headerlink" title="行为分析"></a>行为分析</h2><p>行为监控：释放了大量可执行文件并执行</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210613163748901.png" class="" title="image-20210613163748901">

<p>执行监控：</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210712225228859.png" class="" title="image-20210712225228859">

<p>进程监控：可以看到有大量的跨进程操作；大致可以看到执行分了几个阶段：MD5.exe&gt;hwwefuxasa.exe&gt;MD5.exe&gt;msiexec.exe&gt;reyefiyevu.exe&gt;msiexec.exe&gt;wuauclt.exe</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210613170050764.png" class="" title="image-20210613170050764">

<p>文件创建监控：</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210613172155974.png" class="" title="image-20210613172155974">

<p>文件删除监控：</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210613174023213.png" class="" title="image-20210613174023213">

<h2 id="第一阶段：MD5-exe"><a href="#第一阶段：MD5-exe" class="headerlink" title="第一阶段：MD5.exe"></a>第一阶段：MD5.exe</h2><p>释放了一些dll和exe文件，供下一阶段使用</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210614211545714.png" class="" title="image-20210614211545714">

<p>创建temp文件夹路径并设置文件夹属性</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210614203558637.png" class="" title="image-20210614203558637">

<p>在temp文件夹下创建文件</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210614204018971.png" class="" title="image-20210614204018971">

<p>往文件内写入内容</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210614204358356.png" class="" title="image-20210614204358356">

<p>设置文件时间</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210614205438515.png" class="" title="image-20210614205438515">

<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210614205635004.png" class="" title="image-20210614205635004">

<p>创建了一个exe文件&amp;几个dll文件+ric文件</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210614212511913.png" class="" title="image-20210614212511913">

<p>启动heswfuxasa.exe</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210614213229679.png" class="" title="image-20210614213229679">

<p>设置注册表启动heswfuxasa.exe启动附加调试器</p>
<h2 id="第二阶段：heswfuxasa-exe"><a href="#第二阶段：heswfuxasa-exe" class="headerlink" title="第二阶段：heswfuxasa.exe"></a>第二阶段：heswfuxasa.exe</h2><p>通过GetProcAddress来获取所需的函数</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210615215928628.png" class="" title="image-20210615215928628">

<p>LoadLibrary来加载所需的模块</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210615220210230.png" class="" title="image-20210615220210230">

<p>以挂起的方式创建进程</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210615220933949.png" class="" title="image-20210615220933949">

<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210615221701331.png" class="" title="image-20210615221701331">

<p>卸载挂起进程原有的内存映像，为写入新镜像做准备（傀儡进程 / process hollowing 的典型步骤）</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210615223426537.png" class="" title="image-20210615223426537">

<p>以可读、可写、可执行（RWX）权限在目标进程中分配内存空间</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210615224548100.png" class="" title="image-20210615224548100">

<p>在内存中写入数据</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210615225320320.png" class="" title="image-20210615225320320">

<p>在执行到GetThreadContext的时候通过pContext参数指向的CONTEXT结构找到新的线程入口点</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210621174956056.png" class="" title="image-20210621174956056">

<p>然后在调用 ResumeThread 之前，用 Process Hacker 修改一下线程入口点，方便附加调试（这里可以把入口点处改为 <code>CC</code>（int3 断点）或 <code>EB FE</code>（跳转到自身的无限循环））</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210617003253716.png" class="" title="image-20210617003253716">

<h2 id="第三阶段：MD5-exe"><a href="#第三阶段：MD5-exe" class="headerlink" title="第三阶段：MD5.exe"></a>第三阶段：MD5.exe</h2><p>用 x32dbg 附加调试，再将此处的内存恢复为原来的内容（因为前面为了方便调试把入口点的两个字节改成了 <code>EB FE</code>，不恢复的话程序会一直停在原地）</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210617144509637.png" class="" title="image-20210617144509637">

<p>为当前进程加载新的资源模块</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210617165346529.png" class="" title="image-20210617165346529">

<p>调用 Windows 加密服务相关的 API（具体函数见截图）</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210617172343847.png" class="" title="image-20210617172343847">

<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210617172751662.png" class="" title="image-20210617172751662">

<p>拼接路径删除之前释放的文件</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210617182706462.png" class="" title="image-20210617182706462">

<p>装载新的资源模块</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210617184302238.png" class="" title="image-20210617184302238">

<p>继续以挂起的方式创建进程，创建自身的新进程并修改进程内存空间</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210617213637015.png" class="" title="image-20210617213637015">

<p>仍然在挂起处暂停，修改线程入口点为无限循环，方便附加调试(将<code>E8 90</code>改为<code>EB FE</code>)</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210625144911095.png" class="" title="image-20210625144911095">

<h2 id="第四阶段：MD5-exe"><a href="#第四阶段：MD5-exe" class="headerlink" title="第四阶段：MD5.exe"></a>第四阶段：MD5.exe</h2><p>通过进程快照遍历进程，查找是否存在卡巴斯基（Kaspersky）杀软的进程 avp.exe</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618003204591.png" class="" title="image-20210618003204591">

<p>释放文件msiexec.exe</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618100027438.png" class="" title="image-20210618100027438">

<p>将MD5.exe的内容拷贝到0F48F.tmp中，重新开辟一块内存空间并将数据读入开辟的内存</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618151108108.png" class="" title="image-20210618151108108">

<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618151951237.png" class="" title="image-20210618151951237">

<p>删除0FFBF.tmp文件</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618160131848.png" class="" title="image-20210618160131848">

<ul>
<li>使用ShellExecuteExW的方式启动msiexec.exe(可以设置注册表调试器附加启动)</li>
</ul>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618161911590.png" class="" title="image-20210618161911590">

<h2 id="第五阶段：msiexec-exe"><a href="#第五阶段：msiexec-exe" class="headerlink" title="第五阶段：msiexec.exe"></a>第五阶段：msiexec.exe</h2><p>获取当前用户的桌面语言：0x0804 对应简体中文（zh-CN）</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618180041834.png" class="" title="image-20210618180041834">

<p>在<code>%temp%</code>目录下创建新的wehexukaje.Gav文件并写入内容</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618222132923.png" class="" title="image-20210618222132923">

<p>并修改文件时间</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618222101458.png" class="" title="image-20210618222101458">

<p>重新创建 Befunuvatur.dll、Ziniyucenaqe.dll、xizitixeqob.dll、salebolotew.dll、reyefiyevu.exe、nst5FFB.tmp 等文件</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618222023450.png" class="" title="image-20210618222023450">

<p>启动新进程reyefiyevu.exe</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210618230409713.png" class="" title="image-20210618230409713">

<h2 id="第六阶段：reyefiyevu-exe"><a href="#第六阶段：reyefiyevu-exe" class="headerlink" title="第六阶段：reyefiyevu.exe"></a>第六阶段：reyefiyevu.exe</h2><p>通过 IDA 可以看到，当前程序主要执行了获取当前线程句柄、修改线程优先级并加载 xifuzinahi.dll 等操作</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619004513010.png" class="" title="image-20210619004513010">

<p>加载 xifuzinahi.dll 之后做了一些开辟内存、拷贝、获取模块以及字符串等操作</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619005700963.png" class="" title="image-20210619005700963">

<p>加载Ziniyucenaqe.dll获取用户默认的语言环境</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619173810398.png" class="" title="image-20210619173810398">

<p>加载 Befunuvatur.dll 后查看其导入函数，可以看到有一些进程和内存相关的操作，下面动态调试一下</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619174325026.png" class="" title="image-20210619174325026">

<p>以挂起的方式创建进程msiexec.exe</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619201624743.png" class="" title="image-20210619201624743">

<p>以修改线程OEP处内存为无限循环的方式附加进程msiexec.exe</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619210354720.png" class="" title="image-20210619210354720">

<h2 id="第七阶段：msiexec-exe"><a href="#第七阶段：msiexec-exe" class="headerlink" title="第七阶段：msiexec.exe"></a>第七阶段：msiexec.exe</h2><p>加载新的资源</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619220231614.png" class="" title="image-20210619220231614">

<p>获取释放的文件名并删除</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619224453665.png" class="" title="image-20210619224453665">

<p>继续创建傀儡进程启动msiexec.exe</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619230600359.png" class="" title="image-20210619230600359">

<p>修改线程OEP为无限循环<code>EB FE</code></p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619231722619.png" class="" title="image-20210619231722619">

<h2 id="第八阶段：msiexec-exe"><a href="#第八阶段：msiexec-exe" class="headerlink" title="第八阶段：msiexec.exe"></a>第八阶段：msiexec.exe</h2><p>创建一个互斥体来防止多开</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210619234819467.png" class="" title="image-20210619234819467">

<p>遍历当前进程</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210620112130335.png" class="" title="image-20210620112130335">

<p>检测注册表 <code>HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum</code> 下的键值（该键记录了磁盘设备的标识字符串，常被恶意代码用来检测虚拟机/沙箱环境，此处推测用途相同）</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210620110024956.png" class="" title="image-20210620110024956">

<p>进入新写入的内存执行后续代码</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210620154742685.png" class="" title="image-20210620154742685">

<p>将现有 <code>%temp%</code> 路径下的 msiexec.exe 拷贝到 <code>C:\ProgramData\svchost.exe</code>（借用系统进程名伪装；真正的 svchost.exe 位于 System32 目录下，这个异常路径可以作为检测特征）</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210620003955673.png" class="" title="image-20210620003955673">

<p>将 <code>C:\ProgramData\svchost.exe</code> 写入注册表自启动项实现持久化</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210620004503674.png" class="" title="image-20210620004503674">

<p>使用文件映射（NtCreateSection <code>+</code> NtMapViewOfSection）的方式来执行远程进程注入；这种方式的典型实现不需要调用 WriteProcessMemory 向目标进程写内存，可以规避部分只监控该 API 的检测</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210620162327198.png" class="" title="image-20210620162327198">

<p>以挂起的方式创建wuauclt.exe</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210620163009867.png" class="" title="image-20210620163009867">

<p>修改线程OEP为无限循环（<code>EB FE</code>）</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210625144750506.png" class="" title="image-20210625144750506">

<h2 id="第九个阶段：wuauclt-exe"><a href="#第九个阶段：wuauclt-exe" class="headerlink" title="第九个阶段：wuauclt.exe"></a>第九个阶段：wuauclt.exe</h2><p>通过调用GetEnvironmentVariableW从环境变量获取启动程序的完整路径</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706210151786.png" class="" title="image-20210706210151786">

<p>再用SetEnvironmentVariableW传入空字符串来重置该变量</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706210941966.png" class="" title="image-20210706210941966">

<p>用获取到的系统卷信息创建一个互斥体防止进程多开</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210630233459555.png" class="" title="image-20210630233459555">

<p>创建一个文件名和后缀均为随机的新文件并将自身复制进去，写入注册表自启动，之后再将 msiexec.exe 删除</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706215336940.png" class="" title="image-20210706215336940">

<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706215626718.png" class="" title="image-20210706215626718">

<p><strong>然后初始化网络创建新的线程</strong></p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706220343714.png" class="" title="image-20210706220343714">

<p>获取系统的版本号</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210705214914849.png" class="" title="image-20210705214914849">

<p>查看注册表判断是否启用了远程 RPC 限制</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210705215604773.png" class="" title="image-20210705215604773">

<p>获取本地的IP</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210705221012684.png" class="" title="image-20210705221012684">

<p>获取浏览器的cookie</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210707120259771.png" class="" title="image-20210707120259771">

<p>通过发送消息的格式和前面的一些行为可以判断，该样本可能属于仙女座（Andromeda）家族</p>
<pre><code>id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu
id 值根据本地系统卷信息产生
bid 值是硬编码的，可能指编译id.
bv值也是硬编码的，可能指编译版本（目前是0x206，即518）
sv值代表受害机器的系统版本
pa值是调用ZwQueryInformationProcess API的返回值，用以确定OS是32位还是64位。
la值是根据www.update.microsoft.com的IP地址而生成的
ar值是调用CheckTokenMembership API的返回值，确认bot是否运行在管理员权限下。
</code></pre>
<p>加密前的字符串</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210701211959385.png" class="" title="image-20210701211959385">

<p>第一次加密：自定义加密</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210707102207882.png" class="" title="image-20210707102207882">

<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706155750770.png" class="" title="image-20210706155750770">

<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706155621097.png" class="" title="image-20210706155621097">

<p>第二步：再经过 Base64 编码（Base64 只是编码而非加密，任何人都能直接还原，真正起保护作用的是前一步的自定义加密）</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210707103351430.png" class="" title="image-20210707103351430">

<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706155829786.png" class="" title="image-20210706155829786">

<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706155702049.png" class="" title="image-20210706155702049">

<p>将数据发送往服务器并接收服务器返回的消息</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706161529651.png" class="" title="image-20210706161529651">

<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210704000806080.png" class="" title="image-20210704000806080">

<p>这是从网上找到的仙女座C&amp;C服务器的Web面板的图片</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210706160912985.png" class="" title="image-20210706160912985">

<p>如果能正常连接到 C&amp;C 服务器并收到下发的数据包，样本会根据解密后得到的命令 ID 执行不同的操作</p>
<img lazyload="" src="/images/loading.svg" data-src="/2022/11/14/Andromeda%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/image-20210705154023635.png" class="" title="image-20210705154023635">

<p>因为仙女座的 C&amp;C 基础设施已经被摧毁，后续的命令下发与执行无法继续分析。通过前面的分析可以看到，这是一个模块化的病毒样本：分阶段释放了大量的 exe 和 dll 文件，多次使用傀儡进程，最终注入系统进程 wuauclt.exe；执行流在多个线程和内存中释放的多个模块之间跳转，上传和下载的信息都经过加密处理，在一定程度上加大了分析难度，具有较高的稳定性和隐蔽性。已观察到的模块功能包括浏览器 cookie 抓取、本机信息收集等。</p>
<h2 id="IOC"><a href="#IOC" class="headerlink" title="IOC"></a>IOC</h2><p>以下为本次分析中得到的 C&amp;C 域名（历史 IOC，请勿在隔离的分析环境之外直接访问）：<br>xdqzpbcgrvkj.ru<br>orzdwjtvmein.in<br>anam0rph.su<br>ygiudewsqhct.in<br>bdcrqgonzmwuehky.nl<br>somicrososoft.ru<br>pe.suckmycocklameavindustry.in<br>sc.suckmycocklameavindustry.in</p>
<h2 id="释放的文件"><a href="#释放的文件" class="headerlink" title="释放的文件"></a>释放的文件</h2><table>
<thead>
<tr>
<th>文件名</th>
<th>MD5</th>
</tr>
</thead>
<tbody><tr>
<td>Befunuvatur.dll</td>
<td>5E1BD554B134DAF7753021CA7AE9C362</td>
</tr>
<tr>
<td>Fewuxusahif.dll</td>
<td>1e1120080170a963da2dc9461789f1c1</td>
</tr>
<tr>
<td>hewefuxasa.exe</td>
<td>9537cf2d215b97bc3effadd74e1a75c9</td>
</tr>
<tr>
<td>Hunoqoriqop.dll</td>
<td>ae057dff4e992c5208234b3d62b05f40</td>
</tr>
<tr>
<td>reyefiyevu.exe</td>
<td>c86fc56810ae163cbd8a728c4d501948</td>
</tr>
<tr>
<td>salebolotew.dll</td>
<td>d75174a7147f7a1c3fa59dcb60be70ad</td>
</tr>
<tr>
<td>vinoliwulab.dll</td>
<td>e255130efe8242a6e2573ba63a667f2d</td>
</tr>
<tr>
<td>wehexukaje.Gav</td>
<td>85d804cd262bfc55dcd09bbec078c1e9</td>
</tr>
<tr>
<td>xizitixeqob.dll</td>
<td>08d784e44da8fcf358b2c932ee318293</td>
</tr>
<tr>
<td>Zayimahizo.dll</td>
<td>5a8f117565e4add93e564ad9ac086c85</td>
</tr>
<tr>
<td>Ziniyucenaqe.dll</td>
<td>439b2205e6e881e64dde45b0c71f4dfe</td>
</tr>
<tr>
<td>msqvfea.bat</td>
<td>92804812b5fd9459f7cf3c2d607804c1</td>
</tr>
<tr>
<td>msiexec.exe</td>
<td>92804812b5fd9459f7cf3c2d607804c1</td>
</tr>
<tr>
<td>msyalicw.com</td>
<td>92804812b5fd9459f7cf3c2d607804c1</td>
</tr>
<tr>
<td>msozpgci.exe</td>
<td>eb069d27bae4c00dc581f670f2423bb8</td>
</tr>
</tbody></table>

		</div>

		
		<div class="post-copyright-info w-full my-8 px-2 sm:px-6 md:px-8">
			<div class="article-copyright-info-container">
    <ul>
        <li><strong>标题:</strong> Andromeda木马分析</li>
        <li><strong>作者:</strong> xiaoeryu</li>
        <li><strong>创建于
                :</strong> 2022-11-14 22:01:58</li>
        
            <li>
                <strong>更新于
                    :</strong> 2022-11-14 22:14:52
            </li>
        
        <li>
            <strong>链接:</strong> https://github.com/xiaoeryu/2022/11/14/Andromeda木马分析/
        </li>
        <li>
            <strong>
                版权声明:
            </strong>
            

            
                本文章采用 <a class="license" target="_blank" rel="noopener" href="https://creativecommons.org/licenses/by-nc-sa/4.0">CC BY-NC-SA 4.0</a> 进行许可。
            
        </li>
    </ul>
</div>

		</div>
		

		
		<ul class="post-tags-box text-lg mt-1.5 flex-wrap justify-center flex md:hidden">
			
			<li class="tag-item mx-0.5">
				<a href="/tags/Andromeda%E6%9C%A8%E9%A9%AC/">#Andromeda木马</a>&nbsp;
			</li>
			
			<li class="tag-item mx-0.5">
				<a href="/tags/windows%E6%9C%A8%E9%A9%AC/">#windows木马</a>&nbsp;
			</li>
			
		</ul>
		

		

		
		


		
		
	</div>

	
	
</div>
			</div>

			
		</div>

	</div>

	
	



	
	

</main>








	
</body>

</html>